[驱动开发]WIN7 32位 64位 的内核对象类型之获取

需要了解内核对象的结构

32位的代码


01#include "ntddk.h" 
/* Driver unload routine (x86 build): logs the unload and nothing else. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    KdPrint(("驱动卸载成功\n"));
}
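/*
 * DriverEntry (Windows 7 x86): locate the kernel's object-type table through
 * ObGetObjectType and log every entry it contains.
 *
 * The table's absolute address is read from a hard-coded byte offset inside
 * the routine's own code (offset 15 is the 4-byte address operand of the
 * instruction that indexes the table on this build). That offset is specific
 * to the Windows 7 x86 kernel; on any other build the read is a wild
 * dereference, so verify it against the target's disassembly first.
 *
 * Each table entry is a pointer to an object type; the type's name
 * (a UNICODE_STRING) is taken at offset 8 of that object, as in the original.
 *
 * Returns STATUS_SUCCESS on success, STATUS_UNSUCCESSFUL when either
 * ObGetObjectType or the table address cannot be validated. The original
 * logged the failure but fell through and dereferenced the bad pointer.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    /* Upper bound for the walk; the per-object type index is one byte, so the
     * table cannot hold more than 256 entries. Guards a wrong offset from
     * running off the end of the table. */
    enum { OBJECT_TYPE_TABLE_MAX = 256 };

    UNICODE_STRING mingzi;
    PVOID dizhi1;
    ULONG *biao_neihe1;  /* address of the object-type table */
    int i = 2;           /* entries 0 and 1 are skipped, as in the original */

    UNREFERENCED_PARAMETER(Reg_Path);

    RtlInitUnicodeString(&mingzi, L"ObGetObjectType");
    dizhi1 = MmGetSystemRoutineAddress(&mingzi);
    if (!MmIsAddressValid(dizhi1))
    {
        KdPrint(("函数地址获取失败\n"));
        /* Bug fix: the original continued and dereferenced dizhi1 + 15 here. */
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("函数地址%x\n", dizhi1));

    /* The 4 bytes at offset 15 hold the table's absolute address (build-specific). */
    biao_neihe1 = *(ULONG **)((ULONG)dizhi1 + 15);
    if (!MmIsAddressValid(biao_neihe1))
    {
        /* A wrong offset yields garbage; refuse to walk it. */
        KdPrint(("object type table address invalid: %x\n", biao_neihe1));
        return STATUS_UNSUCCESSFUL;
    }

    /* Walk until the terminating NULL entry, bounded by the table's maximum size. */
    while (i < OBJECT_TYPE_TABLE_MAX && biao_neihe1[i])
    {
        /* %wZ expects a PUNICODE_STRING; the name sits 8 bytes into the type object. */
        KdPrint(("%d %wZ : %x\n", i, (PUNICODE_STRING)(biao_neihe1[i] + 8), biao_neihe1[i]));
        i++;
    }

    pDriverObject->DriverUnload = MyUnload;
    return STATUS_SUCCESS;
}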


64位的代码


01#include <ntddk.h>
02 
03 
/* Driver unload routine (x64 build): logs the unload and nothing else. */
VOID MyUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    KdPrint(("驱动卸载成功\n"));
}
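/*
 * DriverEntry (Windows 7 x64): locate the kernel's object-type table through
 * ObGetObjectType and log every entry it contains.
 *
 * On this build the routine loads the table with a RIP-relative instruction
 * that starts at offset 4 and is 7 bytes long, so its 32-bit displacement
 * occupies bytes 7..10 and is relative to offset 11 (4 + 7). Those offsets
 * are specific to the Windows 7 x64 kernel; verify them against the target's
 * disassembly before relying on them.
 *
 * Bug fix: a RIP-relative displacement is a *signed* 32-bit value. The
 * original read it into a ULONG, zero-extended it, and then masked bits
 * 32..35 of the sum ("少一个步骤") to cancel the carry that a negative
 * displacement produced. Sign-extending the displacement makes the arithmetic
 * correct without the mask. Unused locals were also removed.
 *
 * Each table entry is a pointer to an object type; the type's name
 * (a UNICODE_STRING) is taken at offset 0x10 of that object, as in the
 * original.
 *
 * Returns STATUS_SUCCESS on success, STATUS_UNSUCCESSFUL when either
 * ObGetObjectType or the computed table address cannot be validated.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path)
{
    /* Upper bound for the walk; the per-object type index is one byte, so the
     * table cannot hold more than 256 entries. Guards a wrong offset from
     * running off the end of the table. */
    enum { OBJECT_TYPE_TABLE_MAX = 256 };

    UNICODE_STRING funcName;
    PVOID funcAddress;
    LONG rel32;                     /* signed RIP-relative displacement */
    PULONGLONG pIndexTableAddress;  /* the object-type table */
    int index = 2;                  /* entries 0 and 1 are skipped, as in the original */

    UNREFERENCED_PARAMETER(Reg_Path);

    RtlInitUnicodeString(&funcName, L"ObGetObjectType");
    funcAddress = MmGetSystemRoutineAddress(&funcName);
    if (!MmIsAddressValid(funcAddress))
    {
        KdPrint(("函数地址获取失败\n"));
        return STATUS_UNSUCCESSFUL;
    }
    KdPrint(("函数地址0x%llx\n", funcAddress));

    /* Read the disp32 at bytes 7..10 of the routine. */
    memcpy(&rel32, (PVOID)((ULONGLONG)funcAddress + 7), sizeof rel32);

    /* target = address of the next instruction (offset 4 + 7) + signed displacement.
     * Converting the LONGLONG to ULONGLONG wraps modulo 2^64, so a negative
     * displacement subtracts correctly; no mask needed. */
    pIndexTableAddress = (PULONGLONG)((ULONGLONG)funcAddress + 4 + 7 + (LONGLONG)rel32);

    KdPrint(("函数地址0x%llx\n", pIndexTableAddress));
    if (!MmIsAddressValid(pIndexTableAddress))
    {
        /* Wrong build / wrong offsets: refuse to walk garbage. */
        KdPrint(("object type table address invalid: 0x%llx\n", pIndexTableAddress));
        return STATUS_UNSUCCESSFUL;
    }

    /* Walk until the terminating zero entry, bounded by the table's maximum size.
     * Entries are ULONGLONG, so compare with 0 rather than NULL. */
    while (index < OBJECT_TYPE_TABLE_MAX && pIndexTableAddress[index] != 0)
    {
        /* %wZ expects a PUNICODE_STRING; the name sits 0x10 bytes into the type object. */
        DbgPrint("Result[%d]: %llx -- %wZ", index, pIndexTableAddress[index], (PUNICODE_STRING)(pIndexTableAddress[index] + 0x10));
        index++;
    }

    pDriverObject->DriverUnload = MyUnload;
    return STATUS_SUCCESS;
}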


原文链接: [驱动开发]WIN7 32位 64位 的内核对象类型之获取 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙团 ( http://www.gyarmy.com/?post=502 )
